
network reporting strange local loopback activity

I have a small home network consisting of two computers. My host machine is running a software firewall called Kerio, which comes with a built-in IDS. I set up my client machine with a syslog daemon to capture my firewall logs.

My logs are being filled with "BAD-TRAFFIC loopback traffic" and port scans. This seems to me to be a misconfiguration somewhere.

I searched Google and found dozens of posts regarding these alerts, but none of the responses made sense to me or fully answered the question.

Some said it was a misconfigured DHCP, and this makes some sense because my ISP uses that, but others referred to a link regarding egress.

I don't fully understand what is going on and what I can do to reduce the amount of alerts.

I've attached a copy of my log. Can someone please explain to me what's going on?

Just guessing here based on what info is in the logs, but it looks like an attempt to "spoof" using private addressing or localhost addressing. The first set of queries (ICMP PING CyberKit 2.2 Windows) might be Nachia or a similar worm (see this for more info: http://vil.nai.com/vil/content/v_100559.htm ). The spoofed packets might also be the propagation effects of the worm.

It's probably spoofing of the IP address. It gets explained when you follow the link that you can find in the log ( http://rr.sans.org/firewall/egress.php ): it explains what egress filtering is and also explains what spoofing is (to some extent).
But the packets get dropped, as you can also see in the log, so I assume you're safe, but better find out where it's coming from just to be sure; if it's from outside your network you're probably safe.
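The two replies above describe the same idea from both ends: a source address from the loopback or private ranges can only reach an Internet-facing interface if someone spoofed it (or a neighbour leaked it), and an egress filter on the sender's side or an ingress filter on the receiver's side drops it. The following Python script is an added illustration, not part of this thread or of Kerio; it runs an ingress-style check over a few constructed alert lines (the Snort-like "[**] sig [**] src -> dst" layout and the addresses are made up, except the ISP range 24.100.0.0 - 24.102.255.255 quoted later in the thread) and labels each source as spoofed-loopback, spoofed-bogon, an ISP neighbour, or external. Running it over a real log would show which category is actually filling the syslog.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample alerts (not the poster's real log); the "src -> dst"
# layout loosely follows Snort-style IDS output.
SAMPLE_LOG = """\
[**] BAD-TRAFFIC loopback traffic [**] 127.0.0.1:1 -> 24.100.12.34:80
[**] BAD-TRAFFIC loopback traffic [**] 127.255.0.3:1 -> 24.100.12.34:80
[**] ICMP PING CyberKit 2.2 Windows [**] 208.254.46.52 -> 24.100.12.34
[**] SCAN SYN [**] 10.0.0.5:1234 -> 24.100.12.34:135
[**] SCAN SYN [**] 24.101.9.8:4444 -> 24.100.12.34:445
"""

# ISP allocation as quoted in the thread: 24.100.0.0 - 24.102.255.255.
# It is not a single CIDR block, so let the library split it for us.
ISP_NETS = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("24.100.0.0"), ipaddress.ip_address("24.102.255.255")))

# Source ranges that must never arrive on an Internet-facing interface.
# A packet claiming one of these as its source is spoofed (or mis-routed),
# which is exactly what an ingress/egress filter is built to drop.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918 private
    "127.0.0.0/8",      # loopback: the "BAD-TRAFFIC loopback" case
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918 private
    "192.168.0.0/16",   # RFC 1918 private
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved
)]

ALERT_RE = re.compile(
    r"\[\*\*\]\s*(?P<sig>.+?)\s*\[\*\*\]\s*"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s*->\s*(?P<dst>\d+\.\d+\.\d+\.\d+)")


def classify_source(src: str) -> str:
    """Label a source address the way an ingress filter would judge it."""
    ip = ipaddress.ip_address(src)
    if ip.is_loopback:
        return "spoofed-loopback"
    if any(ip in net for net in BOGON_NETS):
        return "spoofed-bogon"
    if any(ip in net for net in ISP_NETS):
        return "isp-neighbour"
    return "external"


def parse_alerts(text: str):
    """Return (signature, src, dst, verdict) for each parsable alert line."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # skip lines that are not alerts in the expected layout
        out.append((m["sig"], m["src"], m["dst"], classify_source(m["src"])))
    return out


def summarize(text: str) -> dict:
    """Count alerts per verdict so the category flooding the log stands out."""
    return dict(Counter(verdict for _, _, _, verdict in parse_alerts(text)))


if __name__ == "__main__":
    for sig, src, dst, verdict in parse_alerts(SAMPLE_LOG):
        print(f"{verdict:18} {src:>15} -> {dst:<15} {sig}")
    print(summarize(SAMPLE_LOG))
```

The loopback and bogon verdicts are the packets the firewall is already dropping; the "isp-neighbour" and "external" verdicts are the ones worth looking up (and, as the last reply in the thread suggests, reporting to the owning ISP). The regular expression is tied to the constructed layout, so adapt it to the actual Kerio line format before pointing it at a real syslog file.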

Thanks for this info. I was unaware someone or a worm could spoof themselves to look like my network. I'm sure glad they are being dropped then. It does not make sense, however, why the port scans are being allowed.

tracert on 208.254.46.52 reported it as belonging to UUNET; my ISP owns 24.100.0.0 - 24.102.255.255. I think the port scans are external. It concerns me that these scans are being permitted.

I finally downloaded Adobe Acrobat Reader, which is why I was unable to read the paper from SANS last night describing the local loopback reports, but I think I am understanding now. So really there is nothing I can do then, since it does not belong to my network, correct?

Sure there is. You could still file a complaint with the ISP it comes from. Some ISPs may inform their users of infection. Can't hurt, but might help. At worst they will do nothing. At best they will help the user.